Major leaks of consumer data have become a fact of life, as have the resulting fines in the mega millions and the damage to reputations that can take years to overcome. In a July 30 article, The New York Times reported there have been 3,494 successful cyberattacks already this year — a number that only includes financial institutions.
The latest, Capital One, involved a former Amazon software engineer who allegedly accessed the bank's computer network through what the bank described as a "configuration vulnerability" in its security software. The alleged thief compromised the personal information of more than 100 million people.
A new IIA Bulletin — Cloud Security, Insider Threats, and Third-party Risk — lists 10 questions chief audit executives should be ready to answer from their boards and audit committees. The Bulletin also provides a list of resources available to members, including three IIA Global Technology Audit Guides: Information Technology Outsourcing, Cybersecurity Risks, and Auditing Insider Threat Programs. The resource list also includes available training, two IIA practice guides, a book, and the link to The IIA's Cybersecurity Resource Exchange.
While vulnerabilities may continue, internal audit can help the organization resist intrusions and eliminate any thinking that the organization is defenseless against sophisticated criminals.
In the case of Capital One, reports indicate the breach of the bank's computer system was not particularly sophisticated. The alleged perpetrator accessed customer records the bank had stored on Amazon's cloud service, seemingly by exploiting a vulnerability in the firewall of a Capital One web application that connects to the Amazon Web Services cloud. Capital One representatives refused to answer questions about whether the alleged perpetrator "hacked into its systems or simply climbed through a window that had accidentally been left open."
Internal audit leaders should begin by knowing if their organization relies on cloud services in the first place and to what extent. If the cloud is used, what information is stored there, and how sensitive is it? What steps has the organization taken to ensure data in the cloud is secure? More simply, could the vulnerability have been mitigated by better patch management?
The opportunity for internal audit is to become fully versed in the critical aspects of cybersecurity — cloud, insider threats, and third-party risks, among others — not necessarily to become a technical expert, but to know enough to ask the right questions and follow up where needed. The talent shortage for resources with expertise in this space is not going away anytime soon, and failure to take action is not an option. Leverage the research and educational materials around you, step into this space, and help your organization close the windows.
That's my point of view; I'd be happy to hear yours.
To learn more about cloud security, read Internal Auditor's August cover story, "Security in the Cloud."